1 / 13

Software Verification 1 Deductive Verification

Software Verification 1 Deductive Verification. Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität und Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik. Lehrevaluation. Verpflichtend für die HU, im Interesse der Studierenden

ianthe
Download Presentation

Software Verification 1 Deductive Verification

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Software Verification 1Deductive Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität und Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

  2. Lehrevaluation • Verpflichtend für die HU, im Interesse der Studierenden • Zeitraum: 16.01. bis 27.01.2012 • online: https://evaluation.hu-berlin.de/evaluation/ • Passwort (Token): inf-ws-11-12 • Verbesserung der Sicherheit durch sogenanntes Captcha • Completely Automated Public Turing test to tell Computers and Humans Apart • Bei Rückfragen: Dr. Elke Warmuth, Studiendekanin • Tel. 2093 5830, E-Mail: warmuth@math.hu-berlin.de

  3. Pre- and Postconditions • Dijkstra: wp-calculus (weakest precondition) • characterize the “weakest” formula which makes a Hoare-triple valid • =wp(.) iff ⊢   and⊢(') for every ’ for which ⊢’   • =wlp(.) iff ⊢{}{} and⊢(') for every ’ for which ⊢{’}  {}(weakest liberal precondition, see later) • Example: wp(x++, x==7) = (x==6) • Dijkstra gives a set of rules for wp which can be seen as notational variant of Hoare logic

  4. wp(skip, ) =  • wp(x=t, ) = [x:=t] • wp({1; 2}, ) = wp(1, wp(2, )) • wp(if (b) 1 else 2, ) =((b  wp(1, ))  (¬b  wp(2, ))) • wp(while (b) , ) = z (z)  z((b(z))  z’ (z’<z  wp(, (z’))) z((¬b(z))  )where  is a loop variant and < a wfo, z new var. ! This is a non-constructive definition ! Existence???

  5. Examples • wp(x=x-3, x>7) = x>7 [x:=x-3] = x-3>7 = x>10 • wp({x*=2; x-=3}, x>7) = wp(x*=2, wp(x-=3, x>7)) = wp(x*=2, x>10) = x>5 • wp(if(a<b) a=b, a>=b) = ((a<b  wp(a=b, a>=b)  (a>=b  wp(skip, a>=b))=((a<b  b>=b)  (a>=b  a>=b)) = T • wp(while (i>0) i--, i==0) = i>=0

  6. Partial Correctness • Weakest liberal precondition wlp(,) • wlp(while (b) , ) =   ((b)  wlp(, )) ((¬b)  ) • Dijkstra also used nondeterministic programs („guarded commands“) • guarded-command-program ::= while-program | guarded-command • guarded-command ::= b : e | b : e [] guarded-command • b: condition, e: guarded-command-program

  7. Strongest Postconditions • Dual to weakest precondition: the strongest formula which can be guaranteed to hold after execution • =sp(, ) iff ⊢   and⊢(   ') for every ’ for which ⊢   ’ • sp(x=t, )= z (x==t[x:=z]  [x:=z]) (z new) • e.g. sp(x=x-3, x>7) = z (x==z-3  z>7) = x>4 • Pre- and postconditions are important in the presence of methods and procedures

  8. Functions and Procedures • while-Programs: • whileProg ::= skip | V=T| {whileProg;whileProg} | if (FOL-) whileProg else whileProg | while (FOL-) whileProg • T is the set of terms in the signature =(D, F, R) • Now: extended signature ’=(D{void}, FF’,R) • If f is of type void, then f(x1,...xn) is an (imperative) program • term ::= F(T, ..., T) | F’(T, ..., T) • for each f F’ there must be a declaration: • decl ::= type F’ (V, ... V); whileProg • V in decl are called formal parameters • T in terms are called actual parameters

  9. No alias: formal parameters should be pairwise different • No scoping: formal parameters must be different from program variables • return statement as assignment to the function name • If a function or procedure name occurs directly or indirectly in the call graph of its declaration, it is called recursive • for the time being: no recursion • There are various ways to pass actual parameters for formal ones (value, reference, name, ...) • for the time being, we use only call-by-value • passing value w to formal parameter v has the same effect as the assignment v=w at the entry of the procedure or function

  10. Example intgcd(int a, int b) • while (a!=b) { c = max(a,b)-min(a,b); a = min(a,b); b = c; • } } int min (int a, int b) if (a<b) min=a else min=b; int max (int a, int b) if (a>b) max=a else max=b;

  11. Example int min (int a, int b) if (a<b) min=a else min=b; {x = 5; y = 7; z = min (x, y)} is equivalent to { x = 5; y = 7; a = x; b = y; if (a<b) min=a else min=b; z = min; } need pre- and postconditions to show assertions.

  12. Example intgcd(int a, int b) • {a==m>0  b==n>0} while (a!=b) { c = max(a,b)-min(a,b); a = min(a,b); b = c; • } • gcd = a; • {gcd|m  gcd|n  ...} } int min (int a, int b) if (a<b) min=a else min=b; {a<=min  b<=min  (a=min  b=min)} int max (int a, int b) if (a>b) max=a else max=b; {a>=max  b>=max  (a=min  b=min)}

  13. Contracts • weakest preconditions and strongest postconditions are related to the require-ensure-paradigm (also called assume-guarantee-paradigm): /*@ requires ensures  */void foo(...) ; is equivalent to (wp(,))  (sp(, )) • such a statement is called contract • use of contract: {[x1:=t1, ..., xn:=tn]} foo(t1,...,tn) {}

More Related